Open tekowalsky opened 1 year ago
jade "~1.11.0" in /server/package.json is dependent on constantinople 3.0.2. jade was last updated 8 years ago. Replaced by pug.
constantinople 3.0.2 has a sandbox bypass vulnerability leading to arbitrary code execution. The earliest fixed version of constantinople is 3.1.1
https://osv.dev/vulnerability/GHSA-4vmm-mhcq-4x9j
jade also creates a dependency on critically vulnerable version 2.2.5 of uglify-js via transformers 2.1.0.
It means 200+ projects are vulnerable to RCE.
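One way to check whether a project's lockfile actually installs the versions named in this issue, as an added example that is not code from the issue author or the project. It assumes an npm package-lock.json in lockfileVersion 2/3 format; the constantinople fixed version comes from the advisory above, the uglify-js 2.2.5 match is exact because no fixed version is given here, and the lockfile fragment is constructed for the demo.

```javascript
// Added example (not from the issue or the project): scan an npm package-lock.json
// ("packages" map, lockfileVersion 2/3) for versions below an advisory's first fix.
const ADVISORIES = {
  // GHSA-4vmm-mhcq-4x9j: constantinople sandbox bypass, earliest fixed version 3.1.1
  constantinople: { fixed: "3.1.1", id: "GHSA-4vmm-mhcq-4x9j" },
};
// Versions the issue flags as vulnerable without naming a fix; matched exactly (assumption).
const KNOWN_BAD = { "uglify-js": ["2.2.5"] };
// Compare "major.minor.patch" numerically; pre-release suffixes are ignored (assumption).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}
// Name is everything after the last "node_modules/", so nested and scoped installs resolve.
function nameFromPath(p) {
  const i = p.lastIndexOf("node_modules/");
  return i === -1 ? null : p.slice(i + "node_modules/".length);
}
function findVulnerable(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = nameFromPath(path);
    if (!name || !meta.version) continue;
    const adv = ADVISORIES[name];
    if (adv && compareVersions(meta.version, adv.fixed) < 0)
      hits.push({ name, version: meta.version, path, reason: `${adv.id}, fixed in ${adv.fixed}` });
    if ((KNOWN_BAD[name] || []).includes(meta.version))
      hits.push({ name, version: meta.version, path, reason: "known vulnerable version" });
  }
  return hits;
}
// Constructed lockfile: jade 1.11.0 -> constantinople 3.0.2 and, via transformers, a nested uglify-js 2.2.5.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/jade": { version: "1.11.0" },
    "node_modules/constantinople": { version: "3.0.2" },
    "node_modules/transformers": { version: "2.1.0" },
    "node_modules/transformers/node_modules/uglify-js": { version: "2.2.5" },
    "node_modules/pug": { version: "3.0.2" },
  },
};
console.log(findVulnerable(SAMPLE_LOCK));
```

Run it against a real package-lock.json by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; the nested path in the output shows which top-level dependency drags the vulnerable version in.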